Apple is facing a new security threat, thanks to developments in the spyware/surveillance tool sold by the Israeli firm NSO Group. According to the Financial Times, the Pegasus phone software now harvests not only data from the user’s onboard storage, but also all communications with the connected cloud.
The vulnerability purportedly affects the iPhone and Apple’s iCloud as well as Google Android phones, and even third-party apps installed on the phone that communicate over “encrypted and secure” connections.
The spyware sold by NSO Group is supposedly only sold to governments to assist with crime investigations, but there are fears that Pegasus is also used by countries to help enforce authoritarian and dictatorial rule.
The new version of the Pegasus software is supposedly able to capture and clone the authentication tokens used for services like iCloud. Then, it can essentially construct a man-in-the-middle attack to pretend to be the target user’s device, and download whatever data it pleases from the origin server by making requests that seem to be coming from the origin phone.
It could, for example, impersonate the user with their Facebook credentials and download location history, or retrieve messages stored in iCloud.
The hack can apparently happen silently and does not trigger two-factor login prompts or any kind of warning email, which are the normal practice when a legitimate customer tries to sign into their account on a new device.
The vulnerability may affect not just phones; iPads, tablets, and laptops could also be at risk.
In a statement to the Financial Times, Apple did not deny that such a tool could exist. It said that “some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers.”
Tech companies are likely now scrambling to learn more about the technique and look for stronger security protocols to adopt in future.
NSO Group were previously responsible for the widely publicized WhatsApp hack, which provided a vector to install Pegasus spyware on unsuspecting individuals’ phones.